MacRumors

Bright Side of News reports that Russian forensics firm Elcomsoft has discovered a method of cracking Apple's hardware encryption built into iOS 4, providing law enforcement and other parties with a way to access the protected data provided they have physical access to the device.
According to Vladimir Katalov from Elcomsoft, you have to have physical access to the device that is being cracked into:

"Decryption is not possible without having access to the actual device because we need to obtain the encryption keys that are stored in (or computed by) the device and are not dumped or stored during typical physical acquisition."
Elcomsoft offers a basic Phone Password Breaker for Windows priced at $79 for home use and capable of unlocking encrypted backups of BlackBerry and iOS devices. A much more advanced package for iOS 4 devices is available for government agencies, offering access to other information such as passwords, stored email messages, and deleted SMS messages and emails.

Additional details on the decryption processes are available in a blog post on Elcomsoft's site.

Article Link: Forensics Firm Offers Tools to Defeat iOS 4 Encryption
 
Hmm, interesting. However I wonder if Jon Zdziarski's method is still valid, where you jailbreak but only overwrite the / partition and then ssh into the device to transfer a dd capture over netcat.

I think this method would be faster, transferring 16-32GB of data over wifi for me in the 2.x/3.x days was sloooooow.
 
Russian "Forensics" firm, huh? I guess that is this company's effort to seem legitimate.
 
Most of the actually valuable data, such as website logins and emails, is protected by keychains tied to the user's passcode. This software still has to brute force the user's passcode, which is trivial if the simple 4-digit passcode is used.

Even the non-simple passcode can be brute forced easily if the user doesn't follow basic secure password practices. Passwords should include at least one element from the upper case alphabet, lower case alphabet, numbers, and symbols while also being at least 8 characters long.

Using the escrow keys instead of brute forcing the passcode requires access to both the iOS device and a computer running iTunes with which that specific iOS device has been synced.

If you are really paranoid, just make sure that the passcode is sufficiently difficult to brute force and that you delete iTunes, making sure to remove any of its associated files, after configuring (updating, etc) the iOS device.
 
Most of the actually valuable data, such as website logins and emails, is protected by keychains tied to the user's passcode. This software still has to brute force the user's passcode, which is trivial if the simple 4-digit passcode is used.

Right on. In some sense, this isn't anything new. Brute-forcing a password is certainly nothing new, and we've known for a long time that 4-digit keycodes aren't secure.

But still, kudos to them for creating the tool to do it. I think...
 
delete iTunes, making sure to remove any of its associated files, after configuring (updating, etc) the iOS device.

Deleting iTunes won't help. The escrow keys are actually stored in /private/var/db/lockdown/ (Windows: %AllUsersProfile%\Apple\Lockdown\).
 
Deleting iTunes won't help. The escrow keys are actually stored in /private/var/db/lockdown/ (Windows: %AllUsersProfile%\Apple\Lockdown\).

I did mention that associated files should be deleted as well.

Honestly, I did not know that specific file needed to be deleted.

So, thanks for that info. Not that I am personally worried about it.

P.S. There seems to be a lot of other data included in the .plist file included in that folder.

Will deleting it cause other issues? Which entry in that .plist file should be deleted? EscrowBag? All of them?

Also, what measures would protect collection of those keys from the computer? It appears to be outside of the range of files protected by FileVault, at least, until the release of OS X Lion.

Would changing your passcode after each sync solve the issue with the escrow keys? What if you also de-authenticated iTunes from your Apple ID? What if iTunes is encrypted with FileVault and the passcode was changed after each sync?

Sorry, this has captured my interest.
 
Update: only need to delete lockdown folder.

I tried a few things to see what would cause iTunes to prompt for an iOS device's passcode despite already having synced with each other in the past.

This information is most likely not important to most users, including myself, given their requirements in terms of data security but it may be useful for some.

- Changing the passcode after each sync does not cause iTunes to prompt for the iOS device's passcode so the function of the escrow keys is not tied to the passcode.

- Deauthorizing iTunes does not cause iTunes to prompt for the iOS device's passcode to allow syncing the device so the Apple ID is not involved in the process as well.

- Currently, FileVault does not appear to encrypt this folder. This will not be an issue with FileVault in Mac OS X Lion as it will support full disk encryption. Interestingly, it was sometime last year that the lockdown folder was moved from ~/Library/Lockdown to /private/var/db/lockdown. The old location is in an area of the system encrypted by FileVault. Was this an oversight by Apple?

- I suspect access to iTunes is not required given an independent tool was developed to bypass the encryption so no combination that includes deleting or limiting access to iTunes without also deleting the contents of the lockdown folder is effective. Deleting iTunes also most likely does not provide any benefit.

- Encrypting the iOS device's backup has no impact on the lockdown folder but increases security in other ways unrelated to the escrow keys issue.

- As suggested by blackboxxx, deleting the lockdown folder does cause iTunes to prompt the user to enter the iOS device passcode; after which, syncing the device causes the contents of the lockdown folder to be recreated.

- The contents of the lockdown folder only appear to be related to the syncing of iOS devices. The contents can be deleted without issue and are recreated each time you sync the iOS device.

So, a combination of using a secure passcode and deleting the contents of the lockdown folder after each sync can mitigate access to the user's data via the method described in the original post.

Also, it would be trivial to produce a simple app using Automator that would move the contents of the lockdown folder to the trash when run after each syncing of the iOS device.

Admittedly, I don't think this is an issue that users should have to worry about. What if both your computer and iOS device were stolen at the same time? Of course, this is dependent on this method becoming more known in detail than it is at the moment.
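The Automator app suggested in the post above, written instead as a POSIX shell script. This is an added example, not code from the thread; the /private/var/db/lockdown path comes from the thread, while the holding directory, the LOCKDOWN_DIR override and the --run flag are assumptions.

```shell
#!/bin/sh
# Added example: moves every pairing record (.plist) out of the lockdown folder
# into a holding directory, so the escrow keys no longer sit on the Mac but a
# copy is kept until you are sure syncing still works. On a real Mac the folder
# is root-owned, so run it with sudo after each sync.
set -u

# Assumption: the folder can be overridden for testing; default is the real path.
LOCKDOWN_DIR="${LOCKDOWN_DIR:-/private/var/db/lockdown}"

# Move every .plist in $1 into $2 (created if needed). Prints the number moved.
clear_lockdown_records() {
    src="$1"
    dest="$2"
    moved=0
    [ -d "$src" ] || { echo "no such directory: $src" >&2; return 1; }
    mkdir -p "$dest" || return 1
    for f in "$src"/*.plist; do
        [ -e "$f" ] || continue          # the glob matched nothing
        mv "$f" "$dest"/ && moved=$((moved + 1))
    done
    echo "$moved"
}

# Count the pairing records still present, so a caller can verify the folder is clean.
count_lockdown_records() {
    n=0
    for f in "$1"/*.plist; do
        [ -e "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Stand-alone use: clear the real folder into a timestamped holding directory.
if [ "${1:-}" = "--run" ]; then
    hold="$HOME/lockdown-removed-$(date +%Y%m%d%H%M%S)"
    moved=$(clear_lockdown_records "$LOCKDOWN_DIR" "$hold")
    echo "moved $moved pairing record(s) to $hold"
fi
```

After the next sync iTunes will ask for the device passcode and recreate the folder, as described above, so the script has to be run again each time.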
 
So to sum up, as it wasn't quite clear to me, for a regular user whose PC is at home and I lose my iPhone, I don't need to worry about this thing?
 
So to sum up, as it wasn't quite clear to me, for a regular user whose PC is at home and I lose my iPhone, I don't need to worry about this thing?

As long as your passcode meets the specifications presented in one of the previous posts in this thread, you don't have to worry.
 

Great, now when your phone gets stolen the thief can get in and turn off the Find My iPhone feature, etc. Thanks Russia! This is the same corrupt country Apple wants to open up shop in, so we get all kinds of compromises. Apple, stay away from the mafia-states!
 